Privacy Policy

Last Updated 7/5/17:

PRIVACY POLICY OVERVIEW

The Board of Directors recognizes the responsibility of the Oakwood Bank and its employees to safeguard the financial records and personal information of the Bank’s customers. Various state and Federal acts, laws and regulations govern the customer’s right to privacy. Furthermore, failure to maintain customers’ confidential information can result in civil lawsuits and/or loss of reputation.

The Board of Directors also recognizes the responsibility the Bank and its employees must safeguard the personal information of the Bank’s employees. Various state and federal acts, laws and regulations govern the employee’s right to privacy. Furthermore, failure to maintain the employee’s confidential information can result in civil lawsuits.

In addition, the Board of Directors recognizes the importance of safeguarding proprietary information regarding the Bank and its past, current and future business affairs.

For the reasons indicated above, the Board is establishing this Privacy Policy.

Definitions

Affiliate: any company that controls, is controlled by, or is under common control with another company.

Clear and conspicuous: means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information in the notice.

Consumer: an individual who obtains or has obtained a financial product or service from the Bank that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative.

Customer: a consumer with whom the Bank has a relationship.

Nonpublic personal information: personally identifiable financial information; and any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.

Applicability

This policy will apply to any person or entity performing any type of service for the Bank. In this policy, “employee(s)” will refer to any of the preceding.

Data (Confidential Data)

All financial and personal information about the Bank’s customers and employees is considered confidential data. All non-customer information concerning the affairs of the Bank is also considered confidential data. Confidential data includes but is not limited to the following:

Customer

Customer’s social security number, driver’s license number, etc.

Customer’s deposit account numbers, balances, transactions, etc.

Customer’s loan information

Information regarding any other services used by the customer at the Bank

PRIVACY NOTICES

Initial Privacy Notice

The Bank must provide an initial privacy notice at the time a consumer becomes a customer. For loans, a customer relationship is established with a consumer when the Bank originates or acquires the servicing rights to a loan to the consumer for personal, family, or household purposes. If the servicing rights to the loan are transferred, the customer relationship transfers with the servicing rights.

Content of Privacy Notice

The Bank uses the Model Privacy Form found in the Appendix of Regulation P along with the instructions that the regulation provides.

Customers’ Right to Opt Out of Privacy Notice

If the Bank engages in information sharing that requires it to issue an opt out notice, the Bank must provide a clear and conspicuous notice to each of its consumers that accurately explains the right to opt out. The customer may provide the opt out notice together with or on the same written or electronic form as the initial notice. The notice must state:

That the Bank discloses or reserves the right to disclose nonpublic personal information about the consumer to a nonaffiliated third party;

That the consumer has the right to opt out of that disclosure; and

A reasonable means by which the consumer may exercise the opt out right.

The Bank must comply with a consumer’s opt out direction as soon as reasonably practicable after receipt. A consumer may exercise the right to opt out at any time. A consumer’s direction to opt out is effective until the consumer revokes it in writing or, if the consumer agrees, electronically.

When a customer relationship terminates, the customer’s opt out direction continues to apply to the nonpublic personal information that the Bank collected during or related to that relationship. If the individual subsequently establishes a new customer relationship, the opt out direction that applied to the former relationship does not apply to the new relationship.

Revised Privacy Notices

The Bank must not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third-party other than as described in the initial notice that the Bank provided to that consumer, unless:

The Bank has provided to the consumer a clear and conspicuous revised notice that accurately describes its policies and practices;

The Bank provided the consumer with a new opt out notice;

The Bank has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt out of the disclosure; and

The consumer does not opt out.

Method of Delivery of Privacy Notices

The Bank must provide any privacy notices and opt out notices so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically. The Bank may “reasonably expect” that a consumer will receive actual notice if the Bank:

Hand-delivers a printed copy of the notice to the consumer;

Mails a printed copy of the notice to the last known address of the consumer;

For the consumer who conducts transactions electronically: post the notice on the electronic site and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining a financial product or service; or

For an isolated transaction with the consumer, such as an ATM transaction, post the notice on the ATM screen and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining the financial product or service.

The Bank may not “reasonably expect” that a consumer will receive actual notice of privacy policies and practices if it:

Only posts a sign in a branch or office or generally publishes advertisements of privacy policies and practices; or

Sends the notice via electronic mail to a consumer who does not obtain a financial product or service electronically.

The Bank may not provide a privacy notice solely by orally explaining the notice, either in person or over the telephone.

For customers only, the Bank must provide privacy notices so that the customer can retain them or obtain them later in writing or, if the customer agrees, electronically. The notice is provided in a way that the customer can retain or obtain later if:

A printed copy of the notice is hand-delivered to the customer;

A printed copy of the notice is mailed to the last known address of the customer; or

The Bank’s current privacy notice is made available on a website for the customer who obtains a financial product or service electronically and agrees to receive the notice at the website.

Annual Privacy Notices

The Bank must provide a clear and conspicuous notice to customers that accurately reflects the Bank’s privacy policies and practices not less than annually during the continuation of the customer relationship. “Annually” means at least once in any period of 12 consecutive months during which that relationship exists. The Bank may define the 12-consecutive-month period, but the Bank must apply it to the customer on a consistent basis.

The Bank is not required to provide an annual notice to a former customer.

The Bank may reasonably expect that a customer will receive actual notice of the annual privacy notice if:

The customer uses the Bank’s website to access financial products and services electronically and agrees to receive notices at the website, and the Bank posts its current privacy notice continuously in a clear and conspicuous manner on the website; or

The customer has requested that the Bank refrain from sending any information regarding the customer relationship, and the current privacy notice remains available to the customer upon request.

The Bank may use an alternative method (described below) to provide the annual privacy notice if:

The Bank does not disclose the customer’s nonpublic personal information to nonaffiliated third parties;

The Bank does not include on the annual privacy notice the Fair Credit Reporting Act opt out regarding sharing information with persons related by common ownership or affiliated by corporate control;

The requirements of Section 624 of the Fair Credit Reporting Act, if applicable, have been satisfied previously or the annual privacy notice is not the only notice provided to satisfy such requirements;

The information the Bank is required to convey on the annual privacy notice has not changed since the Bank provided the immediately previous privacy notice (whether initial, annual, or revised) to the customer, other than to eliminate categories of information the Bank discloses or categories of third parties to whom the Bank discloses information; and

The Bank uses the Model Privacy Form located in Regulation P’s Appendix.

If the above requirements are met, the Bank satisfies the annual privacy notice requirements if it:

Conveys in a clear and conspicuous manner not less than annually on an account statement, coupon book, or a notice or disclosure the Bank is required or expressly and specifically permitted to issue to the customer under any other provision of law that the privacy notice is available on the Bank’s website and will be mailed to the customer upon request by telephone. The statement must state that the privacy notice has not changed and must include a specific web address that takes the customer directly to the page where the privacy notice is posted and a telephone number for the customer to request that it be mailed;

Posts the current privacy notice continuously and in clear and conspicuous manner on a page of the Bank’s website on which the only content is the privacy notice, without requiring the customer to provide any information such as a login name or password or agree to any conditions to access the page; and

Mails the current privacy notice to those customers who request it by telephone within ten days of the request.

Third Party Affiliations

The Bank has numerous third party vendors occasionally provided with confidential data. Depending on how confidential the data is, the Bank will perform some due diligence to determine whether the third-party vendor follows similar or more stringent privacy procedures.

Oakwood Bank does not disclose any nonpublic personal information about customers or former customers to anyone, except as permitted by law.

Training

All employees will receive information and/or training on the requirements discussed in this policy.

Enforcement of Policy

Each employee’s supervisor will be responsible for the appropriate application of this policy. The institution’s Chief Compliance Officer (CCO) will ultimately be responsible for the appropriate application of this policy.

Noncompliance with Policy

Noncompliance with this policy may result in immediate termination. If applicable, noncompliance may result in a criminal referral to federal and other authorities.

Comments of Complaints by Customers

Any person may make a comment or complaint about this policy, any privacy-related issue or any inaccuracy in customer data by contacting the Bank’s CCO. If appropriate, the Bank’s CCO will respond to all comments or complaints within 30 days. Any customer data discovered to be inaccurate will be changed appropriately.

Exceptions

Requests for any exceptions to the Policy must be submitted in writing to the Compliance Officer.

Violations of the Policy

Violations of the Privacy Policy may result in internal control weakness and/or non-compliance with applicable laws and regulations. Violations should be promptly reported to the Compliance Officer. Violations may result in employee disciplinary action including termination of employment in accordance with Bank policies and applicable law.

Following a determination of non-compliance, the respective Bank employee or group is required to establish an appropriate action plan to close the gap in a time period agreed to by the CCO. The plans must be documented with a timeline for the action plan and an identified responsible party to oversee implementation of the action plan. Further action may be deemed necessary by the CCO and/or other Bank leadership.

OAKWOOD BANK PRIVACY PRINCIPLES

Recognition of a Customer’s Expectation of Privacy

Oakwood Bank recognizes and respects the privacy of our customers. Oakwood Bank has established policies and procedures to prevent misuse of our customers’ confidential and private information.

Use, Collection and Retention of Customer Information

Oakwood Bank does not disclose any nonpublic personal information about our customers or former customers to anyone, except as permitted by law. Oakwood Bank collects, retains and uses information about individual customers only where it is allowed by law and the institution reasonably believes it is useful in administering the institution’s business, and in providing products, services and other opportunities to our customers. Oakwood Bank does not currently sell data. Additionally, Oakwood Bank does not have any future plans to change our policy on selling data. In the event that the institution begins to sell customer data, the customer will be notified and presented with the opportunity to “opt out,” whereupon that customer’s personal data will not be sold.

Maintenance of Accurate Information

Oakwood Bank has established procedures to ensure that our customer’s financial information is accurate, current and complete in accordance with reasonable commercial standards. Oakwood Bank will respond in a timely manner to customer requests to correct inaccurate information.

Limiting Employee Access to Information

Oakwood Bank limits access to our customer’s confidential and private information to employees with legitimate business reasons for knowing such information. Oakwood Bank will educate our employees about the importance of confidentiality and customer privacy. Employees will be appropriately disciplined for any failure to comply with these “Privacy Principles”.

Protection of Information via Established Security Procedures

Restrictions on the Disclosure of Account Information

Oakwood Bank does not reveal specific information about our customers or their transactions to unaffiliated third parties for their independent use, unless the information is provided 1) to help complete a customer-initiated transaction, 2) to help administer the institution’s bona fide business, 3) at the customer’s request, 4) to comply with a legal requirement (i.e., subpoena), 5) to a reputable information reporting agency (i.e., credit bureau) or 6) after the customer has been informed about the possibility of such disclosure through prior communication and is given the opportunity to decline (i.e., “opt out”).

Maintaining Customer Privacy in Business Relationships with Third Parties

Whenever Oakwood Bank does provide specifically identifiable customer information to a third party, Oakwood Bank insists that the third party adhere to similar “Privacy Principles” that provide for keeping such information confidential.

Disclosure of “Privacy Principles” to Customers

Oakwood Bank will make the “Privacy Principles” available to our customers to give them a better understanding of our commitment to safeguarding confidential and private information.

Special Information Applicable to Electronic (Internet) Banking

Oakwood Bank “Privacy Principles” will apply to customers’ confidential and private information regarding both traditional and non-traditional (i.e., Internet) banking activities. However, due to the unique nature of the Internet and the ease with which information can be exchanged, Oakwood Bank feels it is important for customers to be aware of the unique issues surrounding Internet Banking.

To better serve legitimate Internet Banking customers:

Oakwood Bank collects generic information about visitors to our website. This information includes the date and time of access, the Internet service provider’s address, the web browser used, and the visitor’s physical location.

Oakwood Bank requires customers to utilize specific passwords for access to confidential and private information. Oakwood Bank reminds customers of their responsibility to safeguard login IDs and passwords. In addition, commercial customers should carefully screen those employees to whom user IDs and passwords are granted.

Oakwood Bank utilizes encryption, firewall, router, third party verification procedures and other security software and hardware to help prevent unauthorized eavesdropping of and access to customers’ confidential and private information.

Oakwood Bank reminds all customers that links in the institution’s website can be linked to websites not under our control. These websites will not necessarily comply with Oakwood Bank “Privacy Principles” and security standards.

Oakwood Bank reminds all of our customers that confidential and private information may be compromised in both traditional and non-traditional banking activities. Oakwood Bank can only establish policies and procedures to help restrict use of and access to confidential and private information. If any Oakwood Bank customers believe that confidential and private information has been compromised, please contact Oakwood Bank immediately so that the potential breach can be investigated.

Comments or Complaints by Customers

Any comments or complaints about this policy, any privacy-related issue or any inaccuracy in customer data can be made by contacting: